cbcvebase.
CVE-2020-15906
published 2020-10-22

CVE-2020-15906: tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.

Priority: P2 (70)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 27.36% (97.8th percentile)

Affected

1 range

Vendor  Product  Version range     Fixed in
tiki    tiki     >= 16.3, < 21.2   21.2

Detection & IOCs (extracted from sources)

path: /tiki-login.php
path: /tiki-login_scr.php
command: ticket={{ticket1}}&user=admin&pass={{attempt}}&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n
command: ticket={{ticket2}}&user=admin&pass=&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n
snort: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT TikiWiki CMS Authentication Bypass (Forced Blank Admin Pass) Attempt Inbound (CVE-2020-15906)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tiki-login.php"; http.request_body; content:"&user=admin&pass=&"; fast_pattern; reference:url,github.com/S1lkys/CVE-2020-15906; reference:cve,2020-15906; classtype:attempted-admin; sid:2031130; rev:2; metadata:created_at 2020_10_27, cve CVE_2020_15906, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: &user=admin&pass=&
  • Exploit sends 50+ POST requests to /tiki-login.php with invalid credentials to trigger admin password blank-out, then authenticates with empty password. Detect a high volume (≥50) of POST requests to /tiki-login.php from a single source IP.
  • The final exploitation step is a POST to /tiki-login.php with the body containing `user=admin` and an empty `pass=` field. This specific body pattern is the definitive indicator of the blank-password authentication attempt.
  • The exploit extracts a CSRF ticket from /tiki-login_scr.php before each login attempt. Monitoring for rapid sequential GET requests to /tiki-login_scr.php followed by POSTs to /tiki-login.php from the same session is a strong behavioral indicator.
  • Shodan/FOFA exposure query for identifying internet-facing Tiki Wiki CMS instances vulnerable to this CVE.
  • The exploit uses a fixed User-Agent string during the brute-force phase which can be used as a detection signal.
  • Post-exploitation success can be detected by monitoring for authenticated admin sessions (e.g., access to /tiki-index.php returning 'System Menu', 'Settings') immediately following a burst of failed logins to /tiki-login.php.
  • The exploit uses 50 threads (`threads: 50`) with a batteringram attack pattern, meaning all 50 payloads are fired concurrently. Detection thresholds should account for burst/concurrent requests rather than only sequential rate-limiting.
  • The vulnerability affects Tiki versions before 21.2 only. Instances already on 21.2+ are not affected and should not generate false positives from the Snort rule in normal operation.
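A small log-review helper, added here as an example (it is not part of this record or of Tiki), that applies the two indicators above to constructed request records: a burst of at least 50 POSTs to /tiki-login.php from one source, and a POST carrying user=admin with an empty pass field. The record shape (src_ip, method, path, body) is an assumption.

```python
"""Added example, not from the CVE record or the Tiki project.
Replays the two indicators over constructed request records."""
from collections import defaultdict
from urllib.parse import parse_qs

LOGIN_PATH = "/tiki-login.php"
BURST_THRESHOLD = 50  # the record: 50 invalid attempts blank the admin password


def is_blank_admin_login(body):
    """True when a POST body carries user=admin with an empty pass field.
    Parsing the body (keep_blank_values=True) also catches reordered
    parameters that the fixed substring '&user=admin&pass=&' would miss."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get("user") == ["admin"] and params.get("pass") == [""]


def analyze(requests):
    """requests: iterable of dicts with src_ip, method, path, body (assumed shape).
    Returns (burst_sources, blank_pass_hits): sources with >= BURST_THRESHOLD
    login POSTs, and (index, src_ip) for every blank-password admin POST."""
    per_source = defaultdict(int)
    blank_hits = []
    for idx, r in enumerate(requests):
        if r["method"] != "POST" or r["path"] != LOGIN_PATH:
            continue
        per_source[r["src_ip"]] += 1
        if is_blank_admin_login(r["body"]):
            blank_hits.append((idx, r["src_ip"]))
    bursts = {ip: n for ip, n in per_source.items() if n >= BURST_THRESHOLD}
    return bursts, blank_hits


def sample_requests():
    """Constructed sample: a CSRF-ticket fetch, 50 guessed passwords from one
    source, the blank-password POST, then one unrelated mistyped login."""
    attacker = "198.51.100.7"  # constructed, documentation range
    reqs = [{"src_ip": attacker, "method": "GET", "path": "/tiki-login_scr.php", "body": ""}]
    for i in range(50):
        reqs.append({"src_ip": attacker, "method": "POST", "path": LOGIN_PATH,
                     "body": f"ticket=t{i}&user=admin&pass=guess{i}&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n"})
    reqs.append({"src_ip": attacker, "method": "POST", "path": LOGIN_PATH,
                 "body": "ticket=t50&user=admin&pass=&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n"})
    reqs.append({"src_ip": "203.0.113.5", "method": "POST", "path": LOGIN_PATH,
                 "body": "ticket=t51&user=alice&pass=wrongpw&login="})
    return reqs


if __name__ == "__main__":
    print(analyze(sample_requests()))
```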

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P